Is your agency required to have a privacy officer?

Related Links

In the fiscal 2005 omnibus appropriations bill, Congress may have whispered when it meant to roar in demanding that all agencies appoint chief privacy officers.

Lawmakers thought a clause in the bill would require all agencies to create the privacy job. But administration lawyers are looking into the possibility that the bill specified the wrong section of the U.S. Code to make the provision apply governmentwide.

The Office of Management and Budget's general counsel is reviewing whether the provision applies only to the departments of Transportation and Treasury, the General Services Administration, the National Archives and Records Administration, the Office of Personnel Management, OMB, and a host of smaller agencies, said Karen Evans, OMB's administrator for IT and e-government.

E-government help

The spending bill, which President Bush signed last week, also included $3 million for the E-Government Fund, $2 million less than requested, as well as other language that could help e-government efforts.

Lawmakers removed a provision that would have eliminated the chief architect's office. OMB recently named Richard Burk the new chief architect.

Additionally, Congress removed a provision that would have prohibited the Interior and Energy departments and Agriculture's Forest Service from spending $13.3 million on four e-government projects.

Lawmakers also deleted language that would limit agencies' efforts to open federal jobs to competition from the private sector.

Overall, civilian agencies received a 1 percent increase in spending over 2004, with discretionary spending rising to $388 billion.

Under the privacy provision, the new privacy officers must create policies for privacy and set data protection rules assuring that technology does not 'erode privacy protections relating to the use, collection and disclosure of information.'

The officers must conduct privacy impact assessments; prepare annual reports to Congress on anything that affects privacy, including complaints of violations of the Privacy Act; and help design training programs for employees.

Agencies also will have 12 months to im- plement comprehensive privacy and data protection strategies.

Finally, agencies must have their privacy procedures independently evaluated every two years to check compliance with laws and measure effectiveness.

The administration and Congress have been at odds over the need for privacy officers since Bush first took office.

Lawmakers tried to include a privacy officer requirement in the 9/11 Intelligence Reform bill, but the White House succeeded in getting that language removed. The administration also managed to get language removed from a bill last year calling for privacy officers at agencies with homeland security responsibilities.

Congressional staff members questioned the OMB counsel's review of the provision's scope. If OMB rules that the provision affects only a few agencies, it is misinterpreting lawmakers' intent, a staff member said. 'We could seek to clarify the intent of Congress and that is easy enough to solve,' the congressional worker said.

The staff member said OMB did not raise any objections to the provision during negotiations on the spending bill.

Technically accurate

But an expert on appropriations law said a limiting interpretation is technically accurate.The bill put the language in Title V. OMB is reviewing whether it would need to be in Title VI to apply governmentwide. The legal expert said Title V usually applies to the appropriated agencies and Title VI governmentwide.

Even in its less sweeping approach, the language might be short-lived. Last week, Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, introduced bills to repeal it or make the officers report to the agencies' CIOs.

The language 'merely creates a layer of bureaucracy that contradicts existing federal information policy currently executed by the CIOs,' Davis said. 'Furthermore, the section attempts to address information security concerns that are already addressed in the Federal Information Security Management Act, the Clinger-Cohen Act, the E-Government Act and the Paperwork Reduction Act.'

But no matter what the outcome, privacy advocates applauded the congressional effort.

'Congress is telling agencies to devote more resources and pay closer attention to privacy,' said Robert Gellman, a GCN columnist and privacy expert who formerly worked in the Senate. 'But the real impact comes down to OMB's guidance and how agencies implement it.'